Exception, when origin is null in CorsPolicyExtensions.cs #2318
Comments
From glatzert on Thursday, December 28, 2017 12:54:54 AM
@mkArtakMSFT I can make some project up, if you like, but essentially use
It boils down to missing this one in the code:
From mkArtakMSFT on Thursday, December 28, 2017 9:54:43 AM
@glatzert, to avoid any misunderstandings, I would appreciate it if you could still share the very-minimum project with a repro.
From glatzert on Friday, December 29, 2017 12:46:09 AM
CORSRepro.zip
Thanks for letting us know. I am able to repro this. I will look into how to fix this.
Please note I only investigated the CORS part of the repro (did not include auth yet). This is where the exception gets thrown: https://github.com/aspnet/CORS/blob/dev/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsPolicyExtensions.cs#L19
@rynowak @kichalla Thoughts? I don't think it is safe to allow a malformed uri unless the policy states to allow any origin. According to w3c
It is not safe to assume that all malformed or null origin uri are in error
Incorrectly formatted origin is treated as a malformed
From glatzert on Wednesday, December 20, 2017 6:31:36 AM
After login with ADFS, Chrome produces a POST request to my ASP.NET application, with the following contents:
Metadata
Request Headers
CorsPolicyExtension.IsOriginAnAllowedSubdomain will now throw the following:
Which happens, because origin, is null and still gets passed to the check function.
Addendum: Origin is not null as I triaged on my first try - it's "null" - which might or might not be a bug in Chrome ...
Copied from original issue: aspnet/CORS#137
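The failure mode discussed in this thread, as an added example that is not part of the issue or of the Microsoft.AspNetCore.Cors code: an origin check that treats the literal "null" and other malformed Origin values as non-matching instead of throwing. The `OriginMatcher` helper, the sample policy and the sample header values are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper for illustration; not the Microsoft.AspNetCore.Cors implementation.
public static class OriginMatcher
{
    private const string Wildcard = "*.";

    public static bool IsAllowed(IReadOnlyCollection<string> allowedOrigins, string origin)
    {
        // A missing Origin header never matches.
        if (string.IsNullOrEmpty(origin)) return false;

        // Exact, case-sensitive match on the serialized origin.
        if (allowedOrigins.Contains(origin, StringComparer.Ordinal)) return true;

        // The literal "null" and other malformed values are not absolute URIs:
        // TryCreate returns false where new Uri(...) would throw UriFormatException.
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var originUri)) return false;

        return allowedOrigins
            .Where(o => o.Contains("://" + Wildcard))
            .Any(o => IsSubdomainOf(originUri, o));
    }

    private static bool IsSubdomainOf(Uri origin, string pattern)
    {
        // "https://*.example.com" -> "https://example.com"
        if (!Uri.TryCreate(pattern.Replace(Wildcard, ""), UriKind.Absolute, out var domain)) return false;
        return origin.Scheme == domain.Scheme
            && origin.Port == domain.Port
            && origin.Host.EndsWith("." + domain.Host, StringComparison.OrdinalIgnoreCase);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample policy and Origin header values.
        var policy = new[] { "https://portal.example.com", "https://*.example.com" };
        var samples = new[] { "https://portal.example.com", "https://app.example.com",
                              "https://example.org", "null", "not a uri", null };
        foreach (var origin in samples)
            Console.WriteLine($"{origin ?? "(no header)"} -> {OriginMatcher.IsAllowed(policy, origin)}");
    }
}
```

With this shape an Origin of "null" matches only if the policy lists that exact string. Browsers send it for opaque origins such as sandboxed iframes, so listing it is rarely what a policy intends.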